
Energy firms' security so POOR, insurers REFUSE to take their cash

They're turning down MULTI-MILLION pound contracts...


Underwriters are reportedly refusing to insure energy firms because poor security controls are leaving them wide open to attacks by hackers and malware infestations.

Lloyd's of London told the BBC they had seen a surge in requests for insurance from energy sector firms but poor test scores from security risk assessors means that insurers are turning down potential multi-million pound contracts.

"In the last year or so we have seen a huge increase in demand from energy and utility companies," Laila Khudari, an underwriter at the Kiln Syndicate, which offers cover via Lloyd's of London, told the Beeb. "They are all worried about their reliance on computer systems and how they can offset that with insurance."

Infosec experts called in to review energy sector systems come back with negative reviews. And that means offering "safety net" insurance against breaches is not viable as a business proposition.

"We would not want insurance to be a substitute for security," Khudari explained.

Lloyd's operates a world-renowned marketplace that offers a means to obtain commercial insurance for anything from container ships to large development projects. Insurance firms have been offering data breach insurance since at least 2009, if not earlier.

Specialist insurance firm Beazley’s client roster includes 30 per cent of the world’s top 200 oil and gas companies, as well as major banking and financial institutions. Last December the firm announced it had helped its clients recover from a combined total of 1,000 security breaches over the years. Most of Beazley’s services focus on incident response.

Separately, Allianz Global Corporate & Specialty recently unveiled a suite of products to protect businesses against issues that can arise from a serious cyber attack or data breach.

Industrial control plants at power utilities and other energy sector firms, as elsewhere, rely on SCADA (Supervisory Control and Data Acquisition) technology. These legacy systems are increasingly being connected to the internet, essentially to make them easier to manage remotely. At the same time, more and more security problems are being discovered by security researchers investigating industrial plant security in the wake of the infamous Stuxnet worm, which has made research into the formerly overlooked topic "sexy".

More and more problems are being discovered in crucial systems that are rarely patched, and this creates a recipe for disaster.

Jonathan Roach, principal security consultant at Context Information Security, told El Reg: "SCADA systems have not been patched in years for various reasons: isolation of SCADA networks making the process of patching awkward; lack of motivation to perform what is sometimes seen as a risky process to a critical plant component; terms of software support contracts".

With all this in mind, it's no great surprise to find underwriters turning down lucrative energy sector insurance contracts.

Chris McIntosh, chief exec of ViaSat UK, which provides security and secure communications for clients including US energy companies, said problems obtaining insurance are a symptom of a wider malaise.

"Energy firms seeking insurance against cyber-attacks shows the vulnerability of our critical infrastructure is finally hitting home," McIntosh said. "According to a recent Zpryme Research study, half of infrastructure providers in the US believed electrical networks were insecure. While previously, attacking national energy or resource infrastructure would have involved compromising dedicated communication networks, the modernisation of these networks has made them part of the internet and so more vulnerable than ever.

"However, insurance is only a plaster over these underlying weaknesses. Organisations need to act now to protect their networks and address the unique nature of interconnected real-time control systems. Encryption of data in transit and rigorous authentication protocols, for example, should become de rigueur," said McIntosh.

"Unless energy companies demonstrate they are taking the necessary precautions, insurers will keep them at arm's length, public trust will fall, and the resilience of the country's critical national infrastructure will inevitably suffer as a result," he added.

Thales UK maintains the control systems for British Energy plants in the UK and is also involved in the building of the Hinkley Point B nuclear power station.

Tony Burton, critical national infrastructure protection business lead at Thales UK, said ageing legacy systems at power plants need to be secured one way or another. He suggested the insurance firms' stance has the potential to serve as a much-needed wake-up call.

"Legacy systems, often built before the internet existed, were simply not designed with the levels of interconnection and security threat we see today," Burton said. "Even systems that have remained isolated from the internet and business IT systems are vulnerable to threats that can ‘leap the air-gap’ via process, people and physical (eg, USB stick) vectors.

"Energy firms and other areas of critical national infrastructure are beginning to face up to this challenge and are increasingly recognising that good security is good business."

"The insurance issue and contingency holdings are prime examples of how good security can have a positive effect on the bottom line results of these companies," continued Burton. "However, the security of these operations is not a simple challenge and this is what the insurers are beginning to recognise." ®
